This was fun! I implemented the requirements for this project by utilizing a Google Cloud Compute VM, running Apache (web server of choice). I utilized a simple PHP script that would return all the HTTP headers from a client device in the browser window.
I linked the Apache server to my Cloudflare domain (already had an existing account & domain on Cloudflare, albeit, the domain was unused) by utilizing an A record pointing to my GCP VM IPv4 address. Them, I created a CNAME that allowed me to access the domain using www in my browser window.
After this, I toggled proxy for both of the records, and refreshed my browser, and was able to access the web page and view the Cloudflare specific headers.
To secure the communication between the visitor, I navigated to the SSL/TLS settings panel on the Cloudflare dashboard. I made TLS 1.2 the minimum for all traffic between my client and Cloudflare (knowing full well the traffic between Cloudflare and my GCP VM was still regular HTTP).
In order to increase the security between Cloudflare and my GCP VM, I setup Cloudflared Tunnels on my GCP VM. This was relatively simple, as the CLI tool walked me through it.
Afterwards, I created two WAF rules, now understanding how Cloudflare works. This allowed me to test blocking US IPs, as well as force Canadian IPs to take a challenge (leaving all other countries unrestricted).
Yes! Up until this point, I had not used Apache, PHP, Google Cloud VMs, or Cloudflare for anything whatsoever.
Learning these new platforms/technologies was fun! I filled in gaps by using the internet and AI tools like ChatGPT to walk me through/help me understand how to work with Google Cloud, how certain functions in PHP worked, and the general setup for Apache on Ubuntu.
I ran into a lot of issues getting my VM up and running, as I did not follow Google’s instructions properly. As a result, I had to create a separate firewall rule in GCP to allow my VM to ingress traffic from port 80 (a requirement to use a Cloudflare domain, and also to be able to do anything remotely with this VM).
Another issue I ran into was testing my WAF rules, however, this was because I didn’t slow down and make sure to hit save when creating new rules :)
Cloudflare Dashboard: This is where you can view the domains you have connected to your account, and view data, manage DNS records, manage security rules, and manage WAF rules, and much more.
Cloudflare SSL/TLS Settings: By navigating to the Edge Certificates tab, users can set a minimum TLS version for the connection between a client device and Cloudflare
Cloudflare WAF: Add custom rules (free!) to prevent malicious traffic from accessing your page, as well as prevent bot attacks, etc.
Yes, I noticed this when I initially connected straight to my Apache server, I received far less headers in the pages initial response.